The unconditional security of a quantum key distribution protocol is often defined in terms of the accessible information, that is, the maximum mutual information between the distributed key S and the outcome of an optimal measurement on the adversary's (quantum) system. We show that, even if this quantity is small, certain parts of the key S might still be completely insecure when S is used in applications, such as for one-time pad encryption. This flaw is due to a locking property of the accessible information: one additional (physical) bit of information might increase the accessible information by more than one bit.
I. SECRECY IN CLASSICAL AND QUANTUM CRYPTOGRAPHY

Secret keys play an important role in cryptography. 
They are used for various tasks such as the encryption 
or authentication of messages. Clearly, the security of 
these cryptographic tasks strongly depends on the level 
of secrecy of the underlying key. 

The strongest and thus most desirable notion of security for a secret key S is called perfect security and is characterized by two conditions:

(i) any value of S is equally likely (i.e., the distribution $P_S$ is uniform on a key space $\mathcal{S}$);

(ii) an adversary has no information on S (i.e., the state of any system controlled by an adversary is independent of the value of S).

Such a perfectly secure key allows for the realization of highly secure cryptographic schemes. For example, if S is used as a one-time pad [18] to encrypt a message M, the resulting ciphertext C is independent of M and thus completely useless for an adversary.

It turns out, however, that — even with the help of quantum mechanics — it is generally impossible to generate perfectly secure keys. One thus usually considers slightly weakened security definitions. For example, condition (ii) might be substituted by a bound on the information that the adversary has on S. This, however, raises questions such as: What is an appropriate measure to quantify the adversary's information on S? How to choose the upper bound on this information such that it is guaranteed that S can safely be used in applications?

In the context of classical information-theoretic cryptography [19], the adversary's knowledge on a key S is most generally characterised by a classical random variable Z. An n-bit key S is then said to be secure [20] if, for some small $\varepsilon > 0$,

$H(S) \geq n - \varepsilon$ (1)

$I(S;Z) \leq \varepsilon$ (2)

where $H(S)$ denotes the Shannon entropy of S and $I(S;Z) := H(S) - H(S|Z)$ is the mutual information between S and Z. Inequality (1) implies that S is almost uniformly distributed; it is thus an approximation of condition (i) above. Similarly, (2) is an approximation of (ii).

In quantum cryptography the knowledge of an adversary on a (classical) key S is described by the state of a quantum system E instead of a classical random variable Z. Accordingly, the mutual information occurring in criterion (2) is usually generalised to the accessible information $I_{\mathrm{acc}}(S;E)$, which is defined as the mutual information between S and the outcome Z of an optimal measurement applied to E (see Section II for a formal definition). The quantum version of (2) then reads

$I_{\mathrm{acc}}(S;E) \leq \varepsilon$. (2')

Inequality (2') seems to be a natural formalisation of the requirement that an adversary has almost no information on S and is in fact commonly used in the standard literature on quantum cryptography and, in particular, quantum key distribution [21]. However, as we shall see, it is generally not sufficient to guarantee secrecy.
The remaining part of the paper is organized as follows. In Section II we review the definition of accessible information and its locking property. Section III is devoted to an explicit example of locking of the accessible information. This example is then used in Section IV to show that, even if the accessible information of an adversary on the key S is arbitrarily small, S might still be insecure for certain applications. Finally, in Section V we discuss an alternative security definition which overcomes this problem.

II. LOCKING OF ACCESSIBLE INFORMATION 

Let E be a quantum system whose state depends on the value of a classical random variable V. This situation may be described using the so-called enlarged Hilbert space representation by encoding the random variable V into a quantum system with respect to an orthonormal basis $\{|v\rangle\}_{v \in \mathcal{V}}$ as follows:

$\rho_{VE} := \sum_{v \in \mathcal{V}} P_V(v)\, |v\rangle\langle v| \otimes \rho_{E|V=v}$,

where $\rho_{E|V=v}$ is the state of E conditioned on $V = v$. We will refer to a state of this form as a {cq}-state. We will also use generalisations of this convention to tripartite systems with two classical parts and call the corresponding states {ccq}-states.

For any {cq}-state $\rho_{VE}$, the accessible information (of E on V) is defined as [22]

$I_{\mathrm{acc}}(V;E) := \max_{\mathcal{M}} I(V;Z)$,

where the maximum is over all local POVMs $\mathcal{M}$ on E and where $I(V;Z)$ denotes the mutual information between V and the measurement outcome Z. The accessible information $I_{\mathrm{acc}}(V;E)$ thus quantifies the amount of information on the classical value V that can be obtained by an optimal measurement applied to the quantum system E.

Consider now an extended setting involving an additional random variable Y, that is, the situation is described by a {ccq}-state $\rho_{VYE}$. Let [23]

$\Delta := I_{\mathrm{acc}}(V;YE) - I_{\mathrm{acc}}(V;E)$

be the amount by which the accessible information on V increases when Y is appended to E. The quantity $\Delta$ thus measures by how much the knowledge on V increases if one learns Y (given access to the quantum system E). Interestingly, $\Delta$ can generally be larger than the size of Y, i.e., the number of bits which are needed to represent its value. This phenomenon is known as locking and will be the main topic of the next section. It should be emphasized that locking is a purely non-classical property. In fact, if the quantum system E is substituted by a classical random variable Z, we have $\Delta = I(V;Y|Z) \leq H(Y)$ [24], that is, $\Delta$ cannot be larger than the size of Y.



III. AN EXAMPLE OF LOCKING 

In this section, we give an explicit example of locking. Compared to previously known constructions, it has some additional properties which are needed for our considerations related to cryptography (see Section IV).

In order to formulate our example of locking, we use the following notational conventions: $\sigma_1, \sigma_2, \sigma_3$ are the Pauli matrices on the Hilbert space $\mathbb{C}^2$. For any m-tuple $y = (y_1, \ldots, y_m)$ on $\{1, 2, 3\}$, we denote by $\sigma_y$ the m-fold tensor product $\sigma_{y_1} \otimes \cdots \otimes \sigma_{y_m}$. Lemma 6 summarises some properties of these operators, which we will use repeatedly in the following.

Let X and Y be random variables on the binary set $\mathcal{X} := \{0, 1\}$ and the set of m-tuples $\mathcal{Y} := \{1, 2, 3\}^m$, respectively, such that the joint probability distribution $P_{XY}$ is uniform. Moreover, for any $x \in \mathcal{X}$ and $y \in \mathcal{Y}$, let

$\rho_{E|(X,Y)=(x,y)} := 2^{-m} \left( \mathrm{id}_{(\mathbb{C}^2)^{\otimes m}} + (-1)^x \sigma_y \right)$ (3)

be an operator on $(\mathbb{C}^2)^{\otimes m}$, representing the state of a quantum system E conditioned on $X = x$ and $Y = y$. It is straightforward to check that this is a consistent description of a {ccq}-state $\rho_{XYE}$ [25].

Note that for any fixed $y \in \mathcal{Y}$, the conditional quantum states $\rho_{E|(X,Y)=(0,y)}$ and $\rho_{E|(X,Y)=(1,y)}$ are orthogonal. In particular, given access to the quantum system E, the value of X can be determined with certainty if Y is known, that is, we have the following statement.

Lemma 1. Let $\rho_{XYE}$ be the {ccq}-state defined above. For any fixed value $y \in \mathcal{Y}$ of the random variable Y, there exists a measurement of the quantum system E with output equal to X.

On the other hand, if the value of Y is unknown, then any measurement on E reveals almost no information on the pair (X, Y).

Lemma 2. Let $\rho_{XYE}$ be the {ccq}-state defined above. Then $I_{\mathrm{acc}}(XY;E) \leq (2/3)^{m/2}$.

Proof. We show that, for any measurement $\mathcal{M}$ applied to the quantum part E of $\rho_{XYE}$ with outcome Z, the entropy of the pair (X, Y) conditioned on Z is bounded by

$H(XY|Z) \geq H(XY) - (2/3)^{m/2}$. (4)

The assertion then follows because $I_{\mathrm{acc}}(XY;E) = H(XY) - \min_{\mathcal{M}} H(XY|Z)$.

Let $\mathcal{N} := \{ d \cdot P_{XY}(x,y) \cdot \rho_{E|(X,Y)=(x,y)} \}_{(x,y) \in \mathcal{X} \times \mathcal{Y}}$, where $d := 2^m$ is the dimension of E. Because $\rho_E$ is the fully mixed state on E, $\mathcal{N}$ is a POVM on E. By a derivation similar to the one in earlier work on locking, it can be shown that

$H(XY|Z) \geq \min_{\sigma} H(\mathcal{N}[\sigma])$ (5)

where the minimum ranges over all states $\sigma$ on E and $H(\mathcal{N}[\sigma])$ is the entropy of the outcome when the measurement $\mathcal{N}$ is applied to $\sigma$ (see Lemma 5 in the Appendix).

Using the fact that $\rho_{YE} = \rho_Y \otimes \rho_E$ where $\rho_E$ is the fully mixed state, the term in the minimum of (5) can be rewritten as [26]

$H(\mathcal{N}[\sigma]) = H(Y) + \mathbb{E}_{y \leftarrow P_Y}\left[ H(\mathcal{N}_y[\sigma]) \right]$ (6)

where, for any $y \in \mathcal{Y}$, $H(\mathcal{N}_y[\sigma])$ is the entropy of the output of the POVM $\mathcal{N}_y := \{ d \cdot P_{X|Y=y}(x) \cdot \rho_{E|(X,Y)=(x,y)} \}_{x \in \mathcal{X}}$ applied to $\sigma$. Because for every $y \in \mathcal{Y}$ the POVM $\mathcal{N}_y$ is binary-valued, this quantity is easy to bound. More precisely, as the binary entropy function $h(p) := -p \log p - (1-p) \log (1-p)$ satisfies $h(p) \geq 1 - |p - (1-p)|$ for every $p \in [0,1]$ and

$\left| \mathrm{tr}\!\left( \sigma \left( \rho_{E|(X,Y)=(0,y)} - \rho_{E|(X,Y)=(1,y)} \right) \right) \right| = 2^{-m+1} \left| \mathrm{tr}(\sigma_y \sigma) \right|$

for every $y \in \mathcal{Y}$ and every state $\sigma$ on $(\mathbb{C}^2)^{\otimes m}$, we obtain by a straightforward calculation

$\mathbb{E}_{y \leftarrow P_Y}\left[ H(\mathcal{N}_y[\sigma]) \right] \geq 1 - \frac{1}{|\mathcal{Y}|} \sum_{y \in \mathcal{Y}} \left| \mathrm{tr}(\sigma_y \sigma) \right|$. (7)

Applying the Cauchy-Schwarz inequality gives

$\frac{1}{|\mathcal{Y}|} \sum_{y \in \mathcal{Y}} \left| \mathrm{tr}(\sigma_y \sigma) \right| \leq \frac{1}{\sqrt{|\mathcal{Y}|}} \sqrt{ \sum_{y \in \mathcal{Y}} \mathrm{tr}(\sigma_y \sigma)^2 } \leq \left( \frac{2}{3} \right)^{m/2}$, (8)

where the last inequality is a consequence of the fact that $\mathrm{tr}(\sigma^2) \leq 1$ for every state $\sigma$ on $(\mathbb{C}^2)^{\otimes m}$, which implies $\sum_{y \in \mathcal{Y}} \mathrm{tr}(\sigma_y \sigma)^2 \leq 2^m$ (cf. the generalised Bloch representation in the Appendix). Combining (5), (6) and (7) with (8) and using the fact that $1 + H(Y) = H(XY)$ implies (4) and thus concludes the proof. □

Because of Lemma 1 we have $I_{\mathrm{acc}}(XY;EY) = H(XY)$. Hence, together with Lemma 2, we conclude that the quantity $\Delta = I_{\mathrm{acc}}(XY;EY) - I_{\mathrm{acc}}(XY;E)$, as defined in Section II with $V := (X, Y)$, is arbitrarily close to $H(Y) + 1$. We thus have a locking effect: the difference $\Delta$ is larger than the size of Y.



IV. SMALL ACCESSIBLE INFORMATION DOES NOT IMPLY SECRECY

The locking property of the accessible information has dramatic implications for cryptography. To illustrate this, we consider an n-bit key $S = (S_1, \ldots, S_n)$ together with a quantum system E controlled by an adversary such that, for some bijective mapping f, $\rho_{S_n\, f(S_1, \ldots, S_{n-1})\, E} = \rho_{XYE}$ [27], where $\rho_{XYE}$ is the {ccq}-state as defined in Section III (for $m \approx n / \log_2 3$) [28].



It is an immediate consequence of Lemma 2 that the key S satisfies the security criterion (2') of Section I, i.e.,

$I_{\mathrm{acc}}(S;E) = I_{\mathrm{acc}}(XY;E) \leq \varepsilon$, (9)

where $\varepsilon := (2/3)^{m/2}$ decreases exponentially fast in the key length n. However, as illustrated by the following example, this is not sufficient for certain applications.

Assume that the key S is used to encrypt an n-bit message $M = (M_1, \ldots, M_n)$ by one-time pad encryption and let $C = (C_1, \ldots, C_n)$ be the corresponding ciphertext. Moreover, assume that an adversary has some a priori knowledge which fully determines the first $n-1$ message bits $M_1, \ldots, M_{n-1}$ [29]. Upon receiving the ciphertext bits $C_1, \ldots, C_{n-1}$, the adversary can thus easily infer the first $n-1$ key bits $S_1, \ldots, S_{n-1}$. Hence, by Lemma 1, she is now in a position to choose an appropriate measurement of her quantum system E which reveals the nth key bit $S_n$ with certainty. The encryption of the nth message bit $M_n$ is thus completely insecure.

V. ALTERNATIVE SECURITY DEFINITION

According to the discussion in the previous section, defining secrecy with respect to the accessible information is problematic in a quantum world. This raises the question whether there are stronger security definitions which, e.g., imply that a secret key can safely be used for one-time pad encryption. As shown recently, the answer to this question is positive [30].

Let $\rho_{SE}$ be a {cq}-state describing a classical key S together with the quantum knowledge of an adversary, i.e., $\rho_{SE} := \sum_{s \in \mathcal{S}} P_S(s)\, |s\rangle\langle s| \otimes \rho_{E|S=s}$, where $\{|s\rangle\}_{s \in \mathcal{S}}$ are orthonormal states representing the value of S.

Definition 3 ([5, 6]). A random variable S on $\mathcal{S}$ is called an $\varepsilon$-secure key with respect to E if [31]

$\| \rho_{SE} - \rho_U \otimes \rho_E \| \leq \varepsilon$,

where $\rho_U := \sum_{s \in \mathcal{S}} \frac{1}{|\mathcal{S}|} |s\rangle\langle s|$ is the completely mixed state.

$\varepsilon$-security has an intuitive interpretation: with probability $1 - \varepsilon$, the key S can be considered identical to a perfectly secure key U, i.e., U is uniformly distributed and independent of the adversary's information. In other words, Definition 3 guarantees that the key S is perfectly secure except with probability $\varepsilon$. Clearly, this is still true if S is used in any application.

Interestingly, this strong type of security can be achieved quite easily. For example, it has been shown that the key computed by applying a two-universal hash function to a random string with sufficient entropy satisfies Definition 3 [32]. Security proofs of QKD which are based on this result are thus not affected by the problem discussed above.
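As an added worked example (not code from the paper), the following Python script builds the state of eq. (3) for a small number of qubits m and checks the three claims that Sections III to V make about it: the measurement of Lemma 1 reads off X with certainty once Y is known, the computational-basis measurement extracts at most the Lemma 2 bound $(2/3)^{m/2}$ about (X, Y), and the trace distance of Definition 3 stays at 1/2 for every m even though the accessible information vanishes. It assumes numpy is installed; the function names are this example's own.

```python
# Added example (not from the paper): numerical check of the locking state of
# eq. (3), Lemma 1, the Lemma 2 bound for one concrete measurement, and the
# trace distance of Definition 3. Requires numpy; function names are our own.
import itertools
import math
import numpy as np

PAULI = [np.eye(2, dtype=complex),                      # sigma_0 = id
         np.array([[0, 1], [1, 0]], dtype=complex),     # sigma_1
         np.array([[0, -1j], [1j, 0]], dtype=complex),  # sigma_2
         np.array([[1, 0], [0, -1]], dtype=complex)]    # sigma_3

def pauli_string(y):
    """sigma_y = sigma_{y_1} (x) ... (x) sigma_{y_m} for an m-tuple y."""
    op = np.eye(1, dtype=complex)
    for yi in y:
        op = np.kron(op, PAULI[yi])
    return op

def cond_state(x, y):
    """rho_{E|(X,Y)=(x,y)} = 2^-m (id + (-1)^x sigma_y), eq. (3)."""
    m = len(y)
    return (np.eye(2 ** m) + (-1) ** x * pauli_string(y)) / 2 ** m

def entropy(p):
    """Shannon entropy in bits of a probability vector."""
    return -sum(q * math.log2(q) for q in p if q > 1e-12)

def measure_x_given_y(rho, y):
    """Lemma 1: with y known, the projectors P_x = 2^(m-1) rho_{E|(x,y)}
    form a measurement whose outcome equals X. Returns (guess, probs)."""
    d = 2 ** len(y)
    probs = [(d / 2) * np.trace(cond_state(x, y) @ rho).real for x in (0, 1)]
    return int(probs[1] > probs[0]), probs

def info_comp_basis(m):
    """I(XY;Z) for Z = computational-basis measurement on E; Lemma 2 says
    this (indeed any) measurement yields at most (2/3)^(m/2) bits."""
    ys = list(itertools.product((1, 2, 3), repeat=m))
    pairs = [(x, y) for x in (0, 1) for y in ys]               # P_XY uniform
    cond = [np.diag(cond_state(x, y)).real for x, y in pairs]  # P(Z=z|x,y)
    p_z = np.mean(cond, axis=0)
    return entropy(p_z) - float(np.mean([entropy(c) for c in cond]))

def trace_distance(a, b):
    """||a - b|| = 1/2 tr|a - b| for Hermitian a, b (footnote [31])."""
    return 0.5 * float(np.abs(np.linalg.eigvalsh(a - b)).sum())

def distance_to_ideal_key(m):
    """||rho_SE - rho_U (x) rho_E|| for S = (X,Y), rho_SE = rho_XYE. Both
    operators are block-diagonal in the classical register, so this is the
    P_XY-average of ||rho_{E|(x,y)} - rho_E|| with rho_E = id / 2^m."""
    d = 2 ** m
    ys = list(itertools.product((1, 2, 3), repeat=m))
    dists = [trace_distance(cond_state(x, y), np.eye(d) / d)
             for x in (0, 1) for y in ys]
    return float(np.mean(dists))

if __name__ == "__main__":
    m, y = 2, (1, 3)
    for x in (0, 1):
        print("x =", x, "-> Lemma 1 measurement outputs",
              measure_x_given_y(cond_state(x, y), y)[0])
    print("I(XY;Z), computational basis:", round(info_comp_basis(m), 4),
          "  Lemma 2 bound:", round((2 / 3) ** (m / 2), 4))
    print("||rho_SE - rho_U x rho_E||:", round(distance_to_ideal_key(m), 4))
```

The trace distance of 1/2 is exact: $\rho_{E|(x,y)} - \rho_E = \pm 2^{-m}\sigma_y$ has eigenvalues $\pm 2^{-m}$, so the key fails Definition 3 for every $\varepsilon < 1/2$, which is precisely the flaw that criterion (2') misses.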

The following lemma shows that strongly secure keys can also be obtained by measuring predistributed Bell states $|\Phi^+\rangle$ (or approximations thereof). It follows from this statement that security proofs based on entanglement purification (where the entanglement is usually measured in terms of the fidelity to a fully entangled state) can easily be adapted to meet Definition 3 [33].

Lemma 4. Let $\varepsilon > 0$ and let $\rho_{AB}$ be a bipartite quantum state such that $F(\rho_{AB}, |\Phi^+\rangle^{\otimes n}) \geq \sqrt{1 - \varepsilon^2}$. Then the two n-bit strings resulting from local measurements of $\rho_{AB}$ in the computational basis are $\varepsilon$-secure keys (with respect to an adversary holding a purification of $\rho_{AB}$).

Proof. According to Uhlmann's theorem, there exists a pure state $|\kappa\rangle$ and a purification $|\theta\rangle$ of $\rho_{AB}$ with some auxiliary system E such that

$F(|\theta\rangle, |\Phi^+\rangle^{\otimes n} \otimes |\kappa\rangle) = F(\rho_{AB}, |\Phi^+\rangle^{\otimes n})$.

Using the relation $\|\rho - \sigma\| \leq \sqrt{1 - F(\rho, \sigma)^2}$ and the assumption of the lemma, we find

$\left\| |\theta\rangle\langle\theta| - \left( |\Phi^+\rangle\langle\Phi^+|^{\otimes n} \otimes |\kappa\rangle\langle\kappa| \right) \right\| \leq \varepsilon$.

Let $\rho_{S_A S_B E}$ be the {ccq}-state describing the situation after measuring $|\theta\rangle$ with respect to the computational basis in A and B. Because the trace distance can only decrease under physical operations, we conclude

$\| \rho_{S_A S_B E} - \rho_{UU} \otimes \sigma_E \| \leq \varepsilon$,

where $\rho_{UU} := \sum_{s \in \{0,1\}^n} \frac{1}{2^n} |s\rangle\langle s| \otimes |s\rangle\langle s|$ and $\sigma_E := |\kappa\rangle\langle\kappa|$. □



VI. CONCLUSIONS 

The setting considered in this paper consists of a classical n-bit string $S = (S_1, \ldots, S_n)$ (for any $n \in \mathbb{N}$) and a quantum system E such that the following holds: (i) any measurement on E chosen independently of S only reveals a negligible amount of information about S (i.e., $I_{\mathrm{acc}}(S;E)$ is exponentially small in n) and (ii) given the first $n-1$ bits of S, there exists a measurement on E which determines the value of the nth bit with certainty (i.e., $I_{\mathrm{acc}}(S; E S_1, \ldots, S_{n-1}) = n$).

This example of locking reveals a weakness of security definitions based on the accessible information as they are used in the standard literature on quantum cryptography. In particular, a secret key which is secure according to such a definition might become completely insecure when it is used in certain applications (Section IV). A possible solution to this problem is to use the stronger yet still achievable notion of $\varepsilon$-security (Section V): an $\varepsilon$-secure key can safely be used in any application — except with some (arbitrarily small) probability $\varepsilon$.
APPENDIX

Let $\rho_{VE}$ be a {cq}-state. Lemma 5 gives a lower bound on the entropy of V conditioned on the outcome of any measurement on E.

Lemma 5. Let $\rho_{VE}$ be a {cq}-state with the property that $\rho_E$ is the completely mixed state on E. For some fixed POVM $\mathcal{M}$ applied to E, let $H(V|Z)$ be the entropy of V conditioned on the outcome Z. Then

$H(V|Z) \geq \min_{\sigma} H(\mathcal{N}[\sigma])$

where $\sigma$ ranges over all states on E and $H(\mathcal{N}[\sigma])$ denotes the entropy of the outcome when the POVM $\mathcal{N} := \{ \dim(E) \cdot P_V(v) \cdot \rho_{E|V=v} \}_{v \in \mathcal{V}}$ is applied to $\sigma$.

Proof. The fact that $\rho_E$ is the completely mixed state on E implies that $\mathcal{N}$ is a POVM. The same fact also implies that the measurement result Z is distributed according to $P_Z(z) = \mathrm{tr}(M_z)/d$ for every outcome z, where $d := \dim(E)$ and $M_z$ are the operators of the POVM $\mathcal{M}$. This in turn gives

$P_{V|Z}(v|z) = \frac{P_V(v) \cdot P_{Z|V}(z|v)}{P_Z(z)} = d \cdot P_V(v) \cdot \frac{\mathrm{tr}(M_z \rho_{E|V=v})}{\mathrm{tr}(M_z)}$.

Hence

$H(V|Z) \geq \min_z H(V|Z=z) \geq \min_{\sigma} H(P_V^{\sigma})$, (10)

where the minimum is over all non-zero operators $\sigma$ on E with $0 \leq \sigma \leq \mathrm{id}_E$ and $P_V^{\sigma}$ is the distribution

$P_V^{\sigma}(v) := d \cdot P_V(v) \cdot \frac{\mathrm{tr}(\sigma \rho_{E|V=v})}{\mathrm{tr}(\sigma)}$.

Note that for such an operator $\sigma$, the operator $\bar{\sigma} := \sigma / \mathrm{tr}(\sigma)$ is a state on E. The assertion thus follows from (10) and the observation that $\mathcal{N}[\bar{\sigma}] = P_V^{\sigma}$. □



The next lemma summarises some properties of tensor products of Pauli operators. As in Section III, for any m-tuple $y = (y_1, \ldots, y_m)$ on $\{0, 1, 2, 3\}$, $\sigma_y$ denotes the m-fold tensor product $\sigma_{y_1} \otimes \cdots \otimes \sigma_{y_m}$ of Pauli operators.

Lemma 6. The following holds for all m-tuples $y, y' \in \{0, 1, 2, 3\}^m$.

(i) $\sigma_y^{\dagger} = \sigma_y$.

(ii) $\mathrm{tr}(\sigma_y) = 2^m \cdot \delta_{y,0}$.

(iii) The eigenvalues of $\sigma_y$ are $\{-1, 1\}$.

(iv) $\mathrm{tr}(\sigma_y^{\dagger} \sigma_{y'}) = 2^m \cdot \delta_{y,y'}$.

Lemma 6 implies that the operators $\{ 2^{-m/2} \cdot \sigma_y \}_{y \in \{0,1,2,3\}^m}$ form an orthonormal basis of the space of hermitian operators on $(\mathbb{C}^2)^{\otimes m}$ with respect to the Hilbert-Schmidt scalar product $(A, B) := \mathrm{tr}(A^{\dagger} B)$. In particular, every state $\sigma$ on $(\mathbb{C}^2)^{\otimes m}$ can be written in the so-called generalised Bloch representation as

$\sigma = 2^{-m} \sum_{y \in \{0,1,2,3\}^m} \mathrm{tr}(\sigma_y \sigma)\, \sigma_y$,

where the coefficients $\mathrm{tr}(\sigma_y \sigma)$ are real-valued.
[18] In a one-time pad encryption scheme [10], a string M of message bits is encrypted with a key S of the same length. The ciphertext C is given by bitwise addition (modulo 2) of M and S.

[19] For an introduction to classical information-theoretic key agreement, see [...].

[20] See, e.g., [...].

[21] See, e.g., [...] and also the discussion in [...] and [...].

[22] In the literature, the accessible information is often defined in terms of ensembles. It is easy to verify that such a definition is equivalent to the one given here.

[23] $I_{\mathrm{acc}}(V;YE)$ denotes the accessible information of the {cq}-state $\rho_{V(YE)}$ which is obtained from $\rho_{VYE}$ by combining the systems Y and E.



[24] $I(V;Y|Z) := H(V|Z) + H(Y|Z) - H(VY|Z)$ is the mutual information between V and Y given Z.

[25] An alternative description of the state $\rho_{XYE}$ which clarifies the relation to the locking construction of [...] is the following. For $y \in \{1, 2, 3\}$, let $\{[0]_y, [1]_y\}$ denote the projectors onto the eigenspaces of $\sigma_y$. Let R and Y be independent and uniformly distributed random variables on $\mathcal{R} := \{0, 1\}^m$ and $\mathcal{Y}$, respectively. For $r \in \mathcal{R}$ and $y \in \mathcal{Y}$, let

$\rho_{E|(R,Y)=(r,y)} := [r_1]_{y_1} \otimes \cdots \otimes [r_m]_{y_m}$.

Finally, let X be the random variable on $\mathcal{X}$ defined by $X := \bigoplus_{i=1}^{m} R_i$, where $\oplus$ denotes addition modulo 2. It is then straightforward to check that the resulting conditional states $\rho_{E|(X,Y)=(x,y)}$ are given by (3).

[26] $\mathbb{E}_{y \leftarrow P_Y}[\cdot]$ denotes the expectation over the values y chosen according to the distribution $P_Y$.

[27] That is, $X = S_n$ and $Y = f(S_1, \ldots, S_{n-1})$.

[28] As we will consider one-time pad encryption with the key S, we assume for simplicity that S is a bitstring. Because the cardinality of the range of (X, Y) (i.e., $\{0, 1\} \times \{1, 2, 3\}^m$) and S (i.e., $\{0, 1\}^n$) do not match, S is not perfectly uniformly distributed on the key space. However, a qualitatively identical statement with a perfectly uniformly distributed key can be obtained by using an appropriate adaption of the one-time pad to keys and messages on the space $\mathcal{X} \times \mathcal{Y} = \{0, 1\} \times \{1, 2, 3\}^m$.

[29] For example, the first $n-1$ bits of the message might be some redundant header information.

[30] It has been shown in [...] that a key S is secure in a strong sense if (2') holds for a security parameter $\varepsilon$ which is exponentially small in the key size. Our example shows that this exponential dependence is in fact necessary, thus answering an open question in [4]. Note, however, that making the security parameter $\varepsilon$ in (2') exponentially small comes at the cost of reducing the key rate substantially.

[31] For two states $\rho$ and $\sigma$, $\|\rho - \sigma\| := \frac{1}{2} \mathrm{tr}|\rho - \sigma|$ denotes the trace distance between $\rho$ and $\sigma$.

[32] We refer to [...] and [6] for a detailed description of privacy amplification in the context of quantum adversaries.

[33] These security proofs usually make use of a similar relation between the fidelity and the accessible information (see, e.g., Lemma 1 and 2 given in the supplementary material of [...] and the discussion in Footnote 28 of [8]). Substituting this relation by Lemma 4 thus turns these arguments into proofs of security according to the stronger criterion (Definition 3) given above.



